Provisional application 61/542,786, filed Oct. 3, 2011, the entire contents of which are hereby incorporated by reference for all purposes as if fully set forth herein, describes techniques for computer program security. In particular, the 786 application describes techniques for improving the resistance of virtualized computer programs against various kinds of unauthorized use or attacks. This disclosure presumes familiarity with the 786 application and addresses techniques for automatically ensuring that updated computer program data versions, or security modifications to computer programs that have been implemented by the prior disclosure, conform to expected standards of operation and for taking responsive actions if variances are detected.
Computer programs that operate on servers that are accessible over the public Internet, and in other contexts, are known to have vulnerabilities to various kinds of attacks. Certain attacks are implemented by installing unauthorized or malicious code into the programs and causing execution of the foreign code.
Virtualization is a technique with which multiple different host operating systems, with associated computer programs, can run on a single computer or processor under control of a supervisory program, which may be a hypervisor. The use of virtualization creates new opportunities for attacks and new kinds of security vulnerabilities.
The SecVisor academic research project uses permissions bits maintained in an operating system page table to determine whether a page is writable or executable and to set page permissions so that pages of program code are not executable if they are also writable. However, SecVisor provides no mechanism for interworking with the memory page permissions that are maintained in a hypervisor or in a virtual machine monitor (VMM) that is closely coupled to a virtualization-optimized CPU, such as Xen on Intel processors.
Xen has provided the ability for a privileged domain to register on a hypercall interface for a memory event that is served by the memory handler of the hypervisor. Memory events have been used for demand paging of the domain, for example, for disk swapping of memory pages. Programs listening on memory events could use a different hypercall to read or write pages from or to disk and update page type values to indicate that the pages have been paged in or out. Xen implements a memory page framework denoted p2m that manages memory page type values for the purpose of supporting different uses of memory. For example, when a memory page has been paged out to disk, the memory page type value for that page may be set to “swapped out” (p2m_ram_paged) because the page is unavailable. This type is then converted to a memory access permission of not-readable. If a program attempts to read the page, Xen p2m throws a page fault and its page fault handler will page the memory in from disk, update the memory page type value to a paged-in type (which is converted to an access permission of readable), and return control to the program that caused the fault. Additional memory types exist for pages that are emulating hardware—and thus should cause the I/O emulator to react as if the memory access were a bus access to a peripheral. Additional page types are for shared memory between domains. However, none of the page types represent access permissions different from their type or usage, and thus make altering or restricting memory access permissions further for security—for example, of the content, rather than the emulation purpose—of the page impossible.
The provisional disclosure referenced above describes various ways to modify a computer program, especially those that run in virtual computer environments, to improve the security of computer program memory to attacks that seek to modify instructions or data. When a large number of computer programs are subject to security reviews and modification, the number of modifications may become too great to permit individual human evaluation for correctness. In addition, using manual work may be impractical to identify or anticipate all possible aspects of a computer program that need to be checked for correctness after various security techniques are implemented on that program.
The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.